How set up Ocelot Api Gateway with Azure Active Directory

Question

I followed this tutorial and managed to use api with Azure Active Directory authentication & authorization.

However I would like to consume the api from behind the Ocelot Api Gateway. I could use ocelot with custom basic authorization but could not accomplish to use with Azure Active Directory.

I have added Ocelot api gateway url to my api redirect url list already.

How should I set ReRoutes values in config.json and Ocelot Api Gateway project StartUp.cs ?

Any help will be appreciated.

Answer 1

I was unable to get this working with the "Microsoft.Identity.Web" library. I received a host of errors such as:

AuthenticationScheme: AzureADCookie was not authenticated...

-- and --

Signature validation failed...

Instead, I managed to get the Azure B2C token validation, as well as the scopes, working as follows:

1) ConfigureServices method (Startup.cs):

    services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; 
             })
           .AddJwtBearer(jwtOptions =>
           {
               jwtOptions.Authority = $"{Configuration["AzureAdB2C:Instance"]}/tfp/{Configuration["AzureAdB2C:TenantId"]}/{Configuration["AzureAdB2C:SignUpSignInPolicyId"]}";
               jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
               jwtOptions.TokenValidationParameters.ValidateIssuer = true; 
               jwtOptions.TokenValidationParameters.ValidIssuer = $"{Configuration["AzureAdB2C:Instance"]}/{Configuration["AzureAdB2C:TenantId"]}/v2.0/"; 
           }); 

            // Map scp to scope claims instead of http://schemas.microsoft.com/identity/claims/scope to allow ocelot to read/verify them
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("scp");
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("scp", "scope");


2) Ocelot re-routing configuration:

     {
      "DownstreamPathTemplate": "/{everything}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "master-api",
          "Port": 5000
        }
      ],
      "UpstreamPathTemplate": "/master-api/{everything}",
      "UpstreamHttpMethod": [ "POST", "PUT", "GET", "DELETE" ],
      "ReRoutesCaseSensitive": false,
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "Bearer",
        "AllowedScopes": [ "master" ]
      }
    }

3) Azure AD B2C configuration (appsettings.json):

  "AzureAdB2C": {
    "Instance": "https://yourdomain.b2clogin.com",
    "TenantId": "{tenantId}",
    "SignUpSignInPolicyId": "your_signin_policy",
    "ClientId": "{clientId}"
  }

Hope this helps! :)

Answer 2

Eventually I could. First of all thanks to ocelot library because it supports Azure Active Directory authorization.

I assume that you can already completed this tutorial.

1-Create an ocelot api gateway project as usual.

2-Add Microsoft.Identity.Web class library to ocelot project as reference

3-Add ocelot.json and it should be like below

    {
  "ReRoutes": [

    {
      "DownstreamPathTemplate": "/api/{catchAll}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 44351
        }
      ],
      "UpstreamPathTemplate": "/to-do-service/api/{catchAll}",

      "AuthenticationOptions": {
        "AuthenticationProviderKey": "AzureADJwtBearer",
        "AllowedScopes": []
      }
    }

  ],
  "GlobalConfiguration": {
    "BaseUrl": "http://localhost:7070",
    "RequestIdKey": "OcRequestId",
    "AdministrationPath": "/administration"
  }
}    

4-Edit CreateWebHostBuilder method in Program.cs so that ocelot.json is used as additional config source.

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
             .ConfigureAppConfiguration((hostingContext, config) =>
             {
                 config.AddJsonFile("ocelot.json", false, false);
             })
                .UseStartup<Startup>();

5-Edit ConfigureServices and Configure methods in Startup.cs like below

public void ConfigureServices(IServiceCollection services)
        {
            services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration); //this extension comes from Microsoft.Identity.Web class library

            services.AddOcelot(Configuration);
            //services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public async void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            await app.UseOcelot();
        }

6-Last but not least you should add your AzureAd configuration to ocelot api gateway project. (It should be same as ToDoListService for reference tutorial) Her you can see an example appsettings.json .

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "client-id-guid-from-azure-ad",

    /*
      You need specify the TenantId only if you want to accept access tokens from a single tenant (line of business app)
      Otherwise you can leave them set to common
    */
    "Domain": "blablabla.onmicrosoft.com", // for instance contoso.onmicrosoft.com. Not used in the ASP.NET core template
    "TenantId": "tenant-id-guid-from-azure-ad" // A guid (Tenant ID = Directory ID) or 'common' or 'organizations' or 'consumers'
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"

}

I hope this answer save someones time and make their life happier :)

Happy coding!